Malicious mobile code runtime monitoring system and methods

ABSTRACT

Protection systems and methods provide for protecting one or more personal computers (“PCs”) and/or other intermittently or persistently network accessible devices or processes from undesirable or otherwise malicious operations of Java™ applets, ActiveX™ controls, JavaScript™ scripts, Visual Basic scripts, add-ins, downloaded/uploaded programs or other “Downloadables” or “mobile code” in whole or part. A protection engine embodiment provides, within a server, firewall or other suitable “recommunicator,” for monitoring information received by the communicator, determining whether received information does or is likely to include executable code, and if so, causes mobile protection code (MPC) to be transferred to and rendered operable within a destination device of the received information, more suitably by forming a protection agent including the MPC, protection policies and a detected-Downloadable. An MPC embodiment further provides, within a Downloadable-destination, for initiating the Downloadable, enabling malicious Downloadable operation attempts to be received by the MPC, and causing (predetermined) corresponding operations to be executed in response to the attempts, more suitably in conjunction with protection policies.

PRIORITY REFERENCE TO RELATED APPLICATIONS

[0001] This application claims benefit of and hereby incorporates by reference provisional application Ser. No. 60/205,591, entitled “Computer Network Malicious Code Run-time Monitoring,” filed on May 17, 2000 by inventors Nimrod Itzhak Vered, et al. This application is also a Continuation-In-Part of and hereby incorporates by reference patent application Ser. No. 09/539,667, entitled “System and Method for Protecting a Computer and a Network From Hostile Downloadables” filed on Mar. 30, 2000 by inventor Shlomo Touboul. This application is also a Continuation-In-Part of and hereby incorporates by reference patent application Ser. No. 09/551,302, entitled “System and Method for Protecting a Client During Runtime From Hostile Downloadables”, filed on Apr. 18, 2000 by inventor Shlomo Touboul.

BACKGROUND OF THE INVENTION

[0002] 1. Field of the Invention

[0003] This invention relates generally to computer networks, and more particularly provides a system and methods for protecting network-connectable devices from undesirable downloadable operation.

[0004] 2. Description of the Background Art

[0005] Advances in networking technology continue to impact an increasing number and diversity of users. The Internet, for example, already provides to expert, intermediate and even novice users the informational, product and service resources of over 100,000 interconnected networks owned by governments, universities, nonprofit groups, companies, etc. Unfortunately, particularly the Internet and other public networks have also become a major source of potentially system-fatal or otherwise damaging computer code commonly referred to as “viruses.”

[0006] Efforts to forestall viruses from attacking networked computers have thus far met with only limited success at best. Typically, a virus protection program designed to identify and remove or protect against the initiating of known viruses is installed on a network firewall or individually networked computer. The program is then inevitably surmounted by some new virus that often causes damage to one or more computers. The damage is then assessed and, if isolated, the new virus is analyzed. A corresponding new virus protection program (or update thereof) is then developed and installed to combat the new virus, and the new program operates successfully until yet another new virus appears—and so on. Of course, damage has already typically been incurred.

[0007] To make matters worse, certain classes of viruses are not well recognized or understood, let alone protected against. It is observed by this inventor, for example, that Downloadable information comprising program code can include distributable components (e.g. Java™ applets and JavaScript scripts, ActiveX™ controls, Visual Basic, add-ins and/or others). It can also include, for example, application programs, Trojan horses, multiple compressed programs such as zip or meta files, among others. U.S. Pat. No. 5,983,348 to Shuang, however, teaches a protection system for protecting against only distributable components including “Java applets or ActiveX controls”, and further does so using resource intensive and high bandwidth static Downloadable content and operational analysis, and modification of the Downloadable component; Shuang further fails to detect or protect against additional program code included within a tested Downloadable. U.S. Pat. No. 5,974,549 to Golan teaches a protection system that further focuses only on protecting against ActiveX controls and not other distributable components, let alone other Downloadable types. U.S. Pat. No. 6,167,520 to Touboul enables more accurate protection than Shuang or Golan, but lacks the greater flexibility and efficiency taught herein, as do Shuang and Golan.

[0008] Accordingly, there remains a need for efficient, accurate and flexible protection of computers and other network connectable devices from malicious Downloadables.

SUMMARY OF THE INVENTION

[0009] The present invention provides protection systems and methods capable of protecting a personal computer (“PC”) or other persistently or even intermittently network accessible devices or processes from harmful, undesirable, suspicious or other “malicious” operations that might otherwise be effectuated by remotely operable code. While enabling the capabilities of prior systems, the present invention is not nearly so limited, resource intensive or inflexible, and yet enables more reliable protection. For example, remotely operable code that is protectable against can include downloadable application programs, Trojan horses and program code groupings, as well as software “components”, such as Java™ applets, ActiveX™ controls, JavaScript™/Visual Basic scripts, add-ins, etc., among others. Protection can also be provided in a distributed interactively, automatically or mixed configurable manner using protected client, server or other parameters, redirection, local/remote logging, etc., and other server/client based protection measures can also be separately and/or interoperably utilized, among other examples.

[0010] In one aspect, embodiments of the invention provide for determining, within one or more network “servers” (e.g. firewalls, resources, gateways, email relays or other devices/processes that are capable of receiving-and-transferring a Downloadable) whether received information includes executable code (and is a “Downloadable”). Embodiments also provide for delivering static, configurable and/or extensible remotely operable protection policies to a Downloadable-destination, more typically as a sandboxed package including the mobile protection code, downloadable policies and one or more received Downloadables. Further client-based or remote protection code/policies can also be utilized in a distributed manner. Embodiments also provide for causing the mobile protection code to be executed within a Downloadable-destination in a manner that enables various Downloadable operations to be detected, intercepted or further responded to via protection operations. Additional server/information-destination device security or other protection is also enabled, among still further aspects.

[0011] A protection engine according to an embodiment of the invention is operable within one or more network servers, firewalls or other network connectable information re-communicating devices (as are referred to herein summarily as one or more “servers” or “re-communicators”). The protection engine includes an information monitor for monitoring information received by the server, and a code detection engine for determining whether the received information includes executable code. The protection engine also includes a packaging engine for causing a sandboxed package, typically including mobile protection code and downloadable protection policies, to be sent to a Downloadable-destination in conjunction with the received information, if the received information is determined to be a Downloadable.

[0012] A sandboxed package according to an embodiment of the invention is receivable by and operable with a remote Downloadable-destination. The sandboxed package includes mobile protection code (“MPC”) for causing one or more predetermined malicious operations or operation combinations of a Downloadable to be monitored or otherwise intercepted. The sandboxed package also includes protection policies (operable alone or in conjunction with further Downloadable-destination stored or received policies/MPCs) for causing one or more predetermined operations to be performed if one or more undesirable operations of the Downloadable is/are intercepted. The sandboxed package can also include a corresponding Downloadable and can provide for initiating the Downloadable in a protective “sandbox”. The MPC/policies can further include a communicator for enabling further MPC/policy information or “modules” to be utilized and/or for event logging or other purposes.

[0013] A sandbox protection system according to an embodiment of the invention comprises an installer for enabling a received MPC to be executed within a Downloadable-destination (device/process) and further causing a Downloadable application program, distributable component or other received downloadable code to be received and installed within the Downloadable-destination. The protection system also includes a diverter for monitoring one or more operation attempts of the Downloadable, an operation analyzer for determining one or more responses to the attempts, and a security enforcer for effectuating responses to the monitored operations. The protection system can further include one or more security policies according to which one or more protection system elements are operable automatically (e.g. programmatically) or in conjunction with user intervention (e.g. as enabled by the security enforcer). The security policies can also be configurable/extensible in accordance with further downloadable and/or Downloadable-destination information.

[0014] A method according to an embodiment of the invention includes receiving downloadable information, determining whether the downloadable information includes executable code, and causing a mobile protection code and security policies to be communicated to a network client in conjunction with security policies and the downloadable information if the downloadable information is determined to include executable code. The determining can further provide multiple tests for detecting, alone or together, whether the downloadable information includes executable code.

[0015] A further method according to an embodiment of the invention includes forming a sandboxed package that includes mobile protection code (“MPC”), protection policies, and a received, detected-Downloadable, and causing the sandboxed package to be communicated to and installed by a receiving device or process (“user device”) for responding to one or more malicious operation attempts by the detected-Downloadable from within the user device. The MPC/policies can further include a base “module” and a “communicator” for enabling further up/downloading of one or more further “modules” or other information (e.g. events, user/user device information, etc.).

[0016] Another method according to an embodiment of the invention includes installing, within a user device, received mobile protection code (“MPC”) and protection policies in conjunction with the user device receiving a downloadable application program, component or other Downloadable(s). The method also includes determining, by the MPC, a resource access attempt by the Downloadable, and initiating, by the MPC, one or more predetermined operations corresponding to the attempt. (Predetermined operations can, for example, comprise initiating user, administrator, client, network or protection system determinable operations, including but not limited to modifying the Downloadable operation, extricating the Downloadable, notifying a user/another, maintaining a local/remote log, causing one or more MPCs/policies to be downloaded, etc.)
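The destination-side roles of [0013] and [0016] (installer, diverter, operation analyzer, security enforcer acting on extensible policies) as an added Python illustration that is not part of the patent or any product it describes. A Downloadable is modelled as a callable that receives a resource API; the MPC hands it a diverted proxy instead, so every resource access attempt is analyzed against the policies before it can reach the host. All class and function names, the resource API and the sample Downloadable are constructed for this example.

```python
from dataclasses import dataclass, field
from typing import Callable, Dict, List, Tuple


class HostResources:
    """Stand-in for the resource API (file system, network) a user device
    exposes to mobile code; constructed for this example."""

    def read_file(self, path: str) -> bytes:
        return b"contents-of-" + path.encode()

    def write_file(self, path: str, data: bytes) -> int:
        return len(data)  # pretend the write succeeded

    def connect(self, host: str, port: int) -> str:
        return f"connected:{host}:{port}"


@dataclass
class ProtectionPolicies:
    """Maps an operation name to an action: 'allow', 'log' (allow but record)
    or 'deny'. Anything not listed gets the default. extend() models the
    configurable/extensible policies the summary describes."""
    rules: Dict[str, str]
    default: str = "deny"

    def action_for(self, op: str) -> str:
        return self.rules.get(op, self.default)

    def extend(self, more: Dict[str, str]) -> None:
        self.rules.update(more)


@dataclass
class MobileProtectionCode:
    """MPC with the three roles from [0013]: diverter (install), operation
    analyzer (policy lookup) and security enforcer (_intercept)."""
    policies: ProtectionPolicies
    log: List[Tuple[str, str, tuple]] = field(default_factory=list)

    def install(self, real: HostResources):
        """Diverter: return a proxy whose every method call is routed through
        the MPC before (possibly) reaching the real resource API."""
        mpc = self

        class Diverted:
            def __getattr__(self, name):
                target = getattr(real, name)

                def attempt(*args):
                    return mpc._intercept(name, target, args)
                return attempt

        return Diverted()

    def _intercept(self, op: str, target: Callable, args: tuple):
        """Operation analyzer decides; security enforcer acts and logs."""
        action = self.policies.action_for(op)
        self.log.append((op, action, args))  # local log of every attempt
        if action == "deny":
            raise PermissionError(f"{op}{args} blocked by protection policy")
        return target(*args)  # 'allow' and 'log' let the operation proceed


def run_downloadable(downloadable: Callable, policies: ProtectionPolicies):
    """Installer: set up the MPC, then initiate the Downloadable inside the
    sandbox. Returns (result, [(operation, action), ...]) for inspection."""
    mpc = MobileProtectionCode(policies)
    sandboxed_api = mpc.install(HostResources())
    try:
        result = downloadable(sandboxed_api)
    except PermissionError as exc:
        result = f"terminated: {exc}"
    return result, [(op, act) for op, act, _ in mpc.log]


def sample_downloadable(api):
    """Constructed Downloadable: copies a local file, then opens a connection."""
    data = api.read_file("/tmp/notes.txt")
    api.write_file("/tmp/copy.txt", data)
    return api.connect("203.0.113.5", 8080)


if __name__ == "__main__":
    pol = ProtectionPolicies({"read_file": "allow", "write_file": "log"})
    print(run_downloadable(sample_downloadable, pol))
```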

[0017] Advantageously, systems and methods according to embodiments of the invention enable potentially damaging, undesirable or otherwise malicious operations by even unknown mobile code to be detected, prevented, modified and/or otherwise protected against without modifying the mobile code. Such protection is further enabled in a manner that is capable of minimizing server and client resource requirements, does not require pre-installation of security code within a Downloadable-destination, and provides for client specific or generic and readily updateable security measures to be flexibly and efficiently implemented. Embodiments further provide for thwarting efforts to bypass security measures (e.g. by “hiding” undesirable operation causing information within apparently inert or otherwise “friendly” downloadable information) and/or dividing or combining security measures for even greater flexibility and/or efficiency.

[0018] Embodiments also provide for determining protection policies that can be downloaded and/or ascertained from other security information (e.g. browser settings, administrative policies, user input, uploaded information, etc.). Different actions in response to different Downloadable operations, clients, users and/or other criteria are also enabled, and embodiments provide for implementing other security measures, such as verifying a downloadable source, certification, authentication, etc. Appropriate action can also be accomplished automatically (e.g. programmatically) and/or in conjunction with alerting one or more users/administrators, utilizing user input, etc. Embodiments further enable desirable Downloadable operations to remain substantially unaffected, among other aspects.

BRIEF DESCRIPTION OF THE DRAWINGS

[0019] FIG. 1a is a block diagram illustrating a network system in accordance with an embodiment of the present invention;

[0020] FIG. 1b is a block diagram illustrating a network subsystem example in accordance with an embodiment of the invention;

[0021] FIG. 1c is a block diagram illustrating a further network subsystem example in accordance with an embodiment of the invention;

[0022] FIG. 2 is a block diagram illustrating a computer system in accordance with an embodiment of the invention;

[0023] FIG. 3 is a flow diagram broadly illustrating a protection system host according to an embodiment of the invention;

[0024] FIG. 4 is a block diagram illustrating a protection engine according to an embodiment of the invention;

[0025] FIG. 5 is a block diagram illustrating a content inspection engine according to an embodiment of the invention;

[0026] FIG. 6a is a block diagram illustrating protection engine parameters according to an embodiment of the invention;

[0027] FIG. 6b is a flow diagram illustrating a linking engine use in conjunction with ordinary, compressed and distributable sandbox package utilization, according to an embodiment of the invention;

[0028] FIG. 7a is a flow diagram illustrating a sandbox protection system operating within a destination system, according to an embodiment of the invention;

[0029] FIG. 7b is a block diagram illustrating memory allocation usable in conjunction with the protection system of FIG. 7a, according to an embodiment of the invention;

[0030] FIG. 7c is a block diagram illustrating a mobile protection code according to an embodiment of the invention;

[0031] FIG. 8 is a flowchart illustrating a method for examining a Downloadable in accordance with the present invention;

[0032] FIG. 9 is a flowchart illustrating a server based protection method according to an embodiment of the invention;

[0033] FIG. 10a is a flowchart illustrating a method for determining if a potential-Downloadable includes or is likely to include executable code, according to an embodiment of the invention;

[0034] FIG. 10b is a flowchart illustrating a method for forming a protection agent, according to an embodiment of the invention;

[0035] FIG. 11 is a flowchart illustrating a method for protecting a Downloadable destination according to an embodiment of the invention;

[0036] FIG. 12a is a flowchart illustrating a method for forming a Downloadable access interceptor according to an embodiment of the invention; and

[0037] FIG. 12b is a flowchart illustrating a method for implementing mobile protection policies according to an embodiment of the invention.

DETAILED DESCRIPTION

[0038] In providing malicious mobile code runtime monitoring systems and methods, embodiments of the invention enable actually or potentially undesirable operations of even unknown malicious code to be efficiently and flexibly avoided. Embodiments provide, within one or more “servers” (e.g. firewalls, resources, gateways, email relays or other information re-communicating devices), for receiving downloadable-information and detecting whether the downloadable-information includes one or more instances of executable code (e.g. as with a Trojan horse, zip/meta file etc.). Embodiments also provide for separately or interoperably conducting additional security measures within the server, within a Downloadable-destination of a detected-Downloadable, or both.

[0039] Embodiments further provide for causing mobile protection code (“MPC”) and downloadable protection policies to be communicated to, installed and executed within one or more received information destinations in conjunction with a detected-Downloadable. Embodiments also provide, within an information-destination, for detecting malicious operations of the detected-Downloadable and causing responses thereto in accordance with the protection policies (which can correspond to one or more user, Downloadable, source, destination, or other parameters), or further downloaded or downloadable-destination based policies (which can also be configurable or extensible). (Note that the term “or”, as used herein, is generally intended to mean “and/or” unless otherwise indicated.)

[0040] FIGS. 1a through 1c illustrate a computer network system 100 according to an embodiment of the invention. FIG. 1a broadly illustrates system 100, while FIGS. 1b and 1c illustrate exemplary protectable subsystem implementations corresponding with system 104 or 106 of FIG. 1a.

[0041] Beginning with FIG. 1a, computer network system 100 includes an external computer network 101, such as a Wide Area Network or “WAN” (e.g. the Internet), which is coupled to one or more network resource servers (summarily depicted as resource server-1 102 and resource server-N 103). Where external network 101 includes the Internet, resource servers 1-N (102, 103) might provide one or more resources including web pages, streaming media, transaction-facilitating information, program updates or other downloadable information, summarily depicted as resources 121, 131 and 132. Such information can also include more traditionally viewed “Downloadables” or “mobile code” (i.e. distributable components), as well as downloadable application programs or other further Downloadables, such as those that are discussed herein. (It will be appreciated that interconnected networks can also provide various other resources as well.)

[0042] Also coupled via external network 101 are subsystems 104-106. Subsystems 104-106 can, for example, include one or more servers, personal computers (“PCs”), smart appliances, personal information managers or other devices/processes that are at least temporarily or otherwise intermittently directly or indirectly connectable in a wired or wireless manner to external network 101 (e.g. using a dialup, DSL, cable modem, cellular connection, IR/RF, or various other suitable current or future connection alternatives). One or more of subsystems 104-106 might further operate as user devices that are connectable to external network 101 via an internet service provider (“ISP”) or local area network (“LAN”), such as a corporate intranet, or home, portable device or smart appliance network, among other examples.

[0043] FIG. 1a also broadly illustrates how embodiments of the invention are capable of selectively, modifiably or extensibly providing protection to one or more determinable ones of networked subsystems 104-106 or elements thereof (not shown) against potentially harmful or other undesirable (“malicious”) effects in conjunction with receiving downloadable information. “Protected” subsystem 104, for example, utilizes a protection in accordance with the teachings herein, while “unprotected” subsystem-N 105 employs no protection, and protected subsystem-M 106 might employ one or more protections including those according to the teachings herein, other protection, or some combination.

[0044] System 100 implementations are also capable of providing protection to redundant elements 107 of one or more of subsystems 104-106 that might be utilized, such as backups, failsafe elements, redundant networks, etc. Where included, such redundant elements are also similarly protectable in a separate, combined or coordinated manner using embodiments of the present invention either alone or in conjunction with other protection mechanisms. In such cases, protection can be similarly provided singly, as a composite of component operations or in a backup fashion. Care should, however, be exercised to avoid potential repeated protection engine execution corresponding to a single Downloadable; such “chaining” can cause a Downloadable to operate incorrectly or not at all, unless a subsequent detection engine is configured to recognize a prior packaging of the Downloadable.

[0045] FIGS. 1b and 1c further illustrate, by way of example, how protection systems according to embodiments of the invention can be utilized in conjunction with a wide variety of different system implementations. In the illustrated examples, system elements are generally configurable in a manner commonly referred to as a “client-server” configuration, as is typically utilized for accessing Internet and many other network resources. For clarity sake, a simple client-server configuration will be presumed unless otherwise indicated. It will be appreciated, however, that other configurations of interconnected elements might also be utilized (e.g. peer-peer, routers, proxy servers, networks, converters, gateways, services, network reconfiguring elements, etc.) in accordance with a particular application.

[0046] The FIG. 1b example shows how a suitable protected system 104 a (which can correspond to subsystem-1 104 or subsystem-M 106 of FIG. 1) can include a protection-initiating host “server” or “re-communicator” (e.g. ISP server 140 a), one or more user devices or “Downloadable-destinations” 145, and zero or more redundant elements (which elements are summarily depicted as redundant client device/process 145 a). In this example, ISP server 140 a includes one or more email, Internet or other servers 141 a, or other devices or processes capable of transferring or otherwise “re-communicating” downloadable information to user devices 145. Server 141 a further includes protection engine or “PE” 142 a, which is capable of supplying mobile protection code (“MPC”) and protection policies for execution by client devices 145. One or more of user devices 145 can further include a respective one or more clients 146 for utilizing information received via server 140 a, in accordance with which MPC and protection policies are operable to protect user devices 145 from detrimental, undesirable or otherwise “malicious” operations of downloadable information also received by user device 145.

[0047] The FIG. 1c example shows how a further suitable protected system 104 b can include, in addition to a “re-communicator”, such as server 142 b, a firewall 143 c (e.g. as is typically the case with a corporate intranet and many existing or proposed home/smart networks.) In such cases, a server 141 b or firewall 143 can operate as a suitable protection engine host. A protection engine can also be implemented in a more distributed manner among two or more protection engine host systems or host system elements, such as both of server 141 b and firewall 143, or in a more integrated manner, for example, as a standalone device. Redundant system or system protection elements can also be similarly provided in a more distributed or integrated manner (see above).

[0048] System 104 b also includes internal network 144 and user devices 145. User devices 145 further include a respective one or more clients 146 for utilizing information received via server 140 a, in accordance with which the MPCs or protection policies are operable. (As in the previous example, one or more of user devices 145 can also include or correspond with similarly protectable redundant system elements, which are not shown.)

[0049] It will be appreciated that the configurations of FIGS. 1a-1c are merely exemplary. Alternative embodiments might, for example, utilize other suitable connections, devices or processes. One or more devices can also be configurable to operate as a network server, firewall, smart router, a resource server servicing deliverable third-party/manufacturer postings, a user device operating as a firewall/server, or other information-suppliers or intermediaries (i.e. as a “re-communicator” or “server”) for servicing one or more further interconnected devices or processes or interconnected levels of devices or processes. Thus, for example, a suitable protection engine host can include one or more devices or processes capable of providing or supporting the providing of mobile protection code or other protection consistent with the teachings herein. A suitable information-destination or “user device” can further include one or more devices or processes (such as email, browser or other clients) that are capable of receiving and initiating or otherwise hosting a mobile code execution.

[0050] FIG. 2 illustrates an exemplary computing system 200, that can comprise one or more of the elements of FIGS. 1a through 1c. While other application-specific alternatives might be utilized, it will be presumed for clarity sake that system 100 elements (FIGS. 1a-c) are implemented in hardware, software or some combination by one or more processing systems consistent therewith, unless otherwise indicated.

[0051] Computer system 200 comprises elements coupled via communication channels (e.g. bus 201) including one or more general or special purpose processors 202, such as a Pentium® or Power PC®, digital signal processor (“DSP”), etc. System 200 elements also include one or more input devices 203 (such as a mouse, keyboard, microphone, pen, etc.), and one or more output devices 204, such as a suitable display, speakers, actuators, etc., in accordance with a particular application.

[0052] System 200 also includes a computer readable storage media reader 205 coupled to a computer readable storage medium 206, such as a storage/memory device or hard or removable storage/memory media; such devices or media are further indicated separately as storage device 208 and memory 209, which can include hard disk variants, floppy/compact disk variants, digital versatile disk (“DVD”) variants, smart cards, read only memory, random access memory, cache memory, etc., in accordance with a particular application. One or more suitable communication devices 207 can also be included, such as a modem, DSL, infrared or other suitable transceiver, etc. for providing inter-device communication directly or via one or more suitable private or public networks that can include but are not limited to those already discussed.

[0053] Working memory further includes operating system (“OS”) elements and other programs, such as application programs, mobile code, data, etc. for implementing system 100 elements that might be stored or loaded therein during use. The particular OS can vary in accordance with a particular device, features or other aspects in accordance with a particular application (e.g. Windows, Mac, Linux, Unix or Palm OS variants, a proprietary OS, etc.). Various programming languages or other tools can also be utilized, such as C++, Java, Visual Basic, etc. As will be discussed, embodiments can also include a network client such as a browser or email client, e.g. as produced by Netscape, Microsoft or others, a mobile code executor such as an OS task manager, Java Virtual Machine (“JVM”), etc., and an application program interface (“API”), such as a Microsoft Windows or other suitable element in accordance with the teachings herein. (It will also become apparent that embodiments might also be implemented in conjunction with a resident application or combination of mobile code and resident application components.)

[0054] One or more system 200 elements can also be implemented in hardware, software or a suitable combination. When implemented in software (e.g. as an application program, object, downloadable, servlet, etc. in whole or part), a system 200 element can be communicated transitionally or more persistently from local or remote storage to memory (or cache memory, etc.) for execution, or another suitable mechanism can be utilized, and elements can be implemented in compiled or interpretive form. Input, intermediate or resulting data or functional elements can further reside more transitionally or more persistently in a storage media, cache or more persistent volatile or non-volatile memory, (e.g. storage device 207 or memory 208) in accordance with a particular application.

[0055] FIG. 3 illustrates an interconnected re-communicator 300 generally consistent with system 140 b of FIG. 1, according to an embodiment of the invention. As with system 140 b, system 300 includes a server 301, and can also include a firewall 302. In this implementation, however, either server 301 or firewall 302 (if a firewall is used) can further include a protection engine (310 or 320 respectively). Thus, for example, an included firewall can process received information in a conventional manner, the results of which can be further processed by protection engine 310 of server 301, or information processed by protection engine 320 of an included firewall 302 can be processed in a conventional manner by server 301. (For clarity sake, a server including a singular protection engine will be presumed, with or without a firewall, for the remainder of the discussion unless otherwise indicated. Note, however, that other embodiments consistent with the teachings herein might also be utilized.)

[0056] FIG. 3 also shows how information received by server 301 (or firewall 302) can include non-executable information, executable information or a combination of non-executable and one or more executable code portions (e.g. so-called Trojan horses that include a hostile Downloadable within a friendly one, combined, compressed or otherwise encoded files, etc.). Particularly such combinations will likely remain undetected by a firewall or other more conventional protection systems. Thus, for convenience, received information will also be referred to as a “potential-Downloadable”, and received information found to include executable code will be referred to as a “Downloadable” or equivalently as a “detected-Downloadable” (regardless of whether the executable code includes one or more application programs, distributable “components” such as Java, ActiveX, add-in, etc.).

[0057] Protection engine 310 provides for detecting whether received potential-Downloadables include executable code, and upon such detection, for causing mobile protection code (“MPC”) to be transferred to a device that is a destination of the potential-Downloadable (or “Downloadable-destination”). Protection engine 310 can also provide protection policies in conjunction with the MPC (or thereafter as well), which MPC/policies can be automatically (e.g. programmatically) or interactively configurable in accordance with user, administrator, downloadable source, destination, operation, type or various other parameters alone or in combination (see below). Protection engine 310 can also provide or operate separately or interoperably in conjunction with one or more of certification, authentication, downloadable tagging, source checking, verification, logging, diverting or other protection services via the MPC, policies, other local/remote server or destination processing, etc. (e.g. which can also include protection mechanisms taught by the above-noted prior applications; see FIG. 4).

[0058] Operationally, protection engine 310 of server 301 monitors information received by server 301 and determines whether the received information is deliverable to a protected destination, e.g. using a suitable monitor/data transfer mechanism and comparing a destination-address of the received information to a protected destination set, such as a protected destinations list, array, database, etc. (All deliverable information, or one or more subsets thereof, might also be monitored.) Protection engine 310 further analyzes the potential-Downloadable and determines whether the potential-Downloadable includes executable code. If not, protection engine 310 enables the non-executable potential-Downloadable 331 to be delivered to its destination in an unaffected manner.

[0059] In conjunction with determining that the potential-Downloadable is a detected-Downloadable, protection engine 310 also causes mobile protection code or "MPC" 341 to be communicated to the Downloadable-destination of the Downloadable, more suitably in conjunction with the detected-Downloadable 343 (see below). Protection engine 310 further causes Downloadable protection policies 342 to be delivered to the Downloadable-destination, again more suitably in conjunction with the detected-Downloadable. Protection policies 342 provide parameters (or can additionally or alternatively provide additional mobile code) according to which the MPC is capable of determining or providing applicable protection to a Downloadable-destination against malicious Downloadable operations.

[0060] (One or more "checked", tag, source, destination, type, detection or other security result indicators, which are not shown, can also be provided as corresponding to determined non-Downloadables or Downloadables, e.g. for testing, logging, further processing, further identification tagging or other purposes in accordance with a particular application.)

[0061] Further MPCs, protection policies or other information are also deliverable to the same or another destination, for example, in accordance with communication by an MPC/protection policies already delivered to a Downloadable-destination. Initial or subsequent MPCs/policies can further be selected or configured in accordance with a Downloadable-destination indicated by the detected-Downloadable, destination-user or administrative information, or other information providable to protection engine 310 by a user, administrator, user system, user system examination by a communicated MPC, etc. (Thus, for example, an initial MPC/policies can also be provided that are operable with, or optimized for more efficient operation with, different Downloadable-destinations or destination capabilities.)

[0062] While integrated protection constraints within the MPC might also be utilized, providing separate protection policies has been found to be more efficient, for example, by enabling more specific protection constraints to be more easily updated in conjunction with detected-Downloadable specifics, post-download improvements, testing, etc. Separate policies can further be more efficiently provided (e.g. selected, modified, instantiated, etc.) with or separately from an MPC, or in accordance with the requirements of a particular user, device, system, administration, later improvement, etc., as might also be provided to protection engine 310 (e.g. via user/MPC uploading, querying, parsing a Downloadable, or other suitable mechanism implemented by one or more servers or Downloadable-destinations).

[0063] (It will also become apparent that performing executable code detection and communicating to a Downloadable-destination an MPC and any applicable policies as separate from a detected-Downloadable is more accurate and far less resource intensive than, for example, performing content and operation scanning, modifying a Downloadable, or providing completely Downloadable-destination based security.) System 300 enables a single or extensible base-MPC to be provided, in anticipation or upon receipt of a first Downloadable, that is utilized thereafter to provide protection of one or more Downloadable-destinations. It is found, however, that providing an MPC upon each detection of a Downloadable (which is also enabled) can provide a desirable combination of configurability of the MPC/policies and lessened need for management (e.g. given potentially changing user/destination needs, enabling testing, etc.).

[0064] Providing an MPC upon each detection of a Downloadable also facilitates a lessened demand on destination resources, e.g. since information-destination resources used in executing the MPC/policies can be re-allocated following such use. Such alternatives can also be selectively, modifiably or extensibly provided (or further in accordance with other application-specific factors that might also apply). Thus, for example, a base-MPC or base-policies might be provided to a user device that is/are extensible via additionally downloadable "modules" upon server 301 detection of a Downloadable deliverable to the same user device, among other alternatives.

[0065] In accordance with a further aspect of the invention, it is found that improved efficiency can also be achieved by causing the MPC to be executed within a Downloadable-destination in conjunction with, and further, prior to initiation of the detected Downloadable. One mechanism that provides for greater compatibility and efficiency in conjunction with conventional client-based Downloadable execution is for a protection engine to form a sandboxed package 340 including MPC 341, the detected-Downloadable 343 and any policies 342. For example, where the Downloadable is a binary executable to be executed by an operating system, protection engine 310 forms a protected package by concatenating, within sandboxed package 340, MPC 341 for delivery to a Downloadable-destination first, followed by protection policies 342 and Downloadable 343. (Concatenation or techniques consistent therewith can also be utilized for providing a protecting package corresponding to a Java applet for execution by a JVM of a Downloadable-destination, or with regard to ActiveX controls, add-ins or other distributable components, etc.)

[0066] The above concatenation or other suitable processing will result in the following. Upon receipt of sandboxed package 340 by a compatible browser, email or other destination-client and activation of the package by a user or the destination-client, the operating system (or a suitable responsively initiated distributed component host) will attempt to initiate sandboxed package 340 as a single Downloadable. Such processing will, however, result in initiating the MPC 341 and, in accordance with further aspects of the invention, the MPC will initiate the Downloadable in a protected manner, further in accordance with any applicable included or further downloaded protection policies 342. (While system 300 is also capable of ascertaining protection policies stored at a Downloadable-destination, e.g. by poll, query, etc. of available destination information, including at least initial policies within a suitable protecting package is found to avoid associated security concerns or inefficiencies.)
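The ordering described in [0065] and [0066], as an added example that is not part of the application or of any product it describes: the package is built as MPC, then policies, then the Downloadable, with a small trailer appended so the MPC, which runs first, can locate the other two elements and check that they arrived intact. The trailer format (the `SBX1` marker, the three length fields, a flags word and a SHA-256 of the body), the byte strings standing in for MPC 341 and Downloadable 343, and the JSON encoding of policies 342 are all assumptions made for this example.

```python
import hashlib
import json
import struct

# Constructed stand-ins for the three elements of sandboxed package 340.
# A real MPC 341 is a native stub the OS loader can start; here it is an
# opaque byte string so the layout logic runs on any platform.
MPC_STUB = b"MZ<mpc stub bytes, constructed>"            # not a real PE image
POLICIES = {"file.write": "deny", "net.connect": "ask"}   # constructed policies 342
DOWNLOADABLE = b"MZ<detected downloadable, constructed>"  # stands in for XEQ 343

MAGIC = b"SBX1"                          # assumed trailer marker, not from the text
# trailer: magic, mpc_len, pol_len, xeq_len, flags, sha256(body)
TRAILER = struct.Struct("<4sIIII32s")


def build_package(mpc: bytes, policies: dict, xeq: bytes, flags: int = 0) -> bytes:
    """Linking engine side: MPC | policies | XEQ, then a fixed-size trailer.

    The MPC sits first so a loader that starts the package "at its beginning"
    runs the MPC; the trailer lets the MPC find the other two elements without
    having to parse its own image."""
    pol = json.dumps(policies, sort_keys=True).encode()
    body = mpc + pol + xeq
    digest = hashlib.sha256(body).digest()
    return body + TRAILER.pack(MAGIC, len(mpc), len(pol), len(xeq), flags, digest)


def extract_package(pkg: bytes):
    """Package extractor side (what the running MPC does first): read the
    trailer, refuse anything inconsistent, and slice out policies and XEQ."""
    if len(pkg) < TRAILER.size:
        raise ValueError("too short to carry a trailer")
    magic, mpc_len, pol_len, xeq_len, flags, digest = TRAILER.unpack(pkg[-TRAILER.size:])
    if magic != MAGIC:
        raise ValueError("not a sandboxed package")
    body = pkg[:-TRAILER.size]
    if len(body) != mpc_len + pol_len + xeq_len:
        raise ValueError("length fields do not match body")
    if hashlib.sha256(body).digest() != digest:
        raise ValueError("body digest mismatch")
    mpc = body[:mpc_len]
    policies = json.loads(body[mpc_len:mpc_len + pol_len])
    xeq = body[mpc_len + pol_len:]
    return mpc, policies, xeq, flags


if __name__ == "__main__":
    package = build_package(MPC_STUB, POLICIES, DOWNLOADABLE)
    print(len(package), "bytes; starts with MPC:", package.startswith(MPC_STUB))
    _, pol, xeq, _ = extract_package(package)
    print(pol, xeq)
```

A PE loader maps only the image the MPC's own headers describe, so bytes appended after it (an overlay) are ignored at start-up and remain readable from the file on disk; that is what lets an MPC-first concatenation start as a single executable. The digest only catches corruption: a deployment would sign the package, or deliver it over an authenticated channel, so a destination can tell a server-built package from a repackaged one.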

[0067] Turning to FIG. 4, a protection engine 400 generally consistent with protection engine 310 (or 320) of FIG. 3 is illustrated in accordance with an embodiment of the invention. Protection engine 400 comprises information monitor 401, detection engine 402, and protected packaging engine 403, which further includes agent generator 431, storage 404, linking engine 405, and transfer engine 406. Protection engine 400 can also include a buffer 407, for temporarily storing a received potential-Downloadable, or one or more systems for conducting additional authentication, certification, verification or other security processing (e.g. summarily depicted as security system 408). Protection engine 400 can further provide for selectively re-directing, further directing, logging, etc. of a potential/detected Downloadable or information corresponding thereto in conjunction with detection, other security, etc., in accordance with a particular application.

[0068] (Note that FIG. 4, as with other figures included herein, also depicts exemplary signal flow arrows; such arrows are provided to facilitate discussion, and should not be construed as exclusive or otherwise limiting.)

[0069] Information monitor 401 monitors potential-Downloadables received by a host server and provides the information via buffer 407 to detection engine 402 or to other system 400 elements. Information monitor 401 can be configured to monitor host server download operations in conjunction with a user or a user-device that has logged on to the server, or to receive information via a server operation hook, servlet, communication channel or other suitable mechanism.

[0070] Information monitor 401 can also provide for transferring, to storage 404 or other protection engine elements, configuration information including, for example, user, MPC, protection policy, interfacing or other configuration information (e.g. see FIG. 6). Such configuration information monitoring can be conducted in accordance with a user/device logging onto or otherwise accessing a host server, via one or more configuration operations, using an applet to acquire such information from or for a particular user, device or devices, via MPC/policy polling of a user device, or via other suitable mechanisms.

[0071] Detection engine 402 includes code detector 421, which receives a potential-Downloadable and determines, more suitably in conjunction with inspection parameters 422, whether the potential-Downloadable includes executable code and is thus a "detected-Downloadable". (Code detector 421 can also include detection processors for performing file decompression or other "decoding", or such detection-facilitating processing as decryption, utilization/support of security system 408, etc. in accordance with a particular application.)

[0072] Detection engine 402 further transfers a detected-Downloadable ("XEQ") to protected packaging engine 403 along with indicators of such detection, or a determined non-executable ("NXEQ") to transfer engine 406. (Inspection parameters 422 enable analysis criteria to be readily updated or varied, for example, in accordance with particular source, destination or other potential-Downloadable impacting parameters, and are discussed in greater detail with reference to FIG. 5.) Detection engine 402 can also provide indicators for delivery of initial and further MPCs/policies, for example, prior to or in conjunction with detecting a Downloadable and further upon receipt of an indicator from an already downloaded MPC/policy. A downloaded MPC/policy can further remain resident at a user device with further modules downloaded upon or even after delivery of a sandboxed package. Such distribution can also be provided in a configurable manner, such that delivery of a complete package or partial packages is automatically or interactively determinable in accordance with user/administrative preferences/policies, among other examples.

[0073] Packaging engine 403 provides for generating mobile protection code and protection policies, and for causing delivery thereof (typically with a detected Downloadable) to a Downloadable-destination for protecting the Downloadable-destination against malicious operation attempts by the detected Downloadable. In this example, packaging engine 403 includes agent generator 431, storage 404 and linking engine 405.

[0074] Agent generator 431 includes an MPC generator 432 and a protection policy generator 433 for "generating" an MPC and a protection policy (or set of policies) respectively upon receiving one or more "generate MPC/policy" indicators from detection engine 402, indicating that a potential-Downloadable is a detected-Downloadable. MPC generator 432 and protection policy generator 433 provide for generating MPCs and protection policies respectively in accordance with parameters retrieved from storage 404. Agent generator 431 is further capable of providing multiple MPCs/policies, for example, the same or different MPCs/policies in accordance with protecting ones of multiple executables within a zip file, or for providing initial MPCs/policies and then further MPCs/policies or MPC/policy "modules" as initiated by further indicators such as given above, via an indicator of an already downloaded MPC/policy or via other suitable mechanisms. (It will be appreciated that pre-constructed MPCs/policies or other processing can also be utilized, e.g. via retrieval from storage 404, but with a potential decrease in flexibility.)

[0075] MPC generator 432 and protection policy generator 433 are further configurable. Thus, for example, more generic MPCs/policies can be provided to all or a grouping of serviced destination-devices (e.g. in accordance with a similarly configured/administered intranet), or different MPCs/policies can be configured in accordance with one or more of user, network administration, Downloadable-destination or other parameters (e.g. see FIG. 6). As will become apparent, a resulting MPC provides an operational interface to a destination device/process. Thus, a high degree of flexibility and efficiency is enabled in providing such an operational interface within different or differently configurable user devices/processes or under other constraints.

[0076] Such configurability further enables particular policies to be utilized in accordance with a particular application (e.g. particular system uses, access limitations, user interaction, treating application programs or Java components from a particular known source one way and unknown-source ActiveX components another, or other considerations). Agent generator 431 further transfers a resulting MPC and protection policy pair to linking engine 405.

[0077] Linking engine 405 provides for forming from received component elements (see above) a sandboxed package that can include one or more initial or complete MPCs and applicable protection policies, and a Downloadable, such that the sandboxed package will protect a receiving Downloadable-destination from malicious operation by the Downloadable. Linking engine 405 is implementable in a static or configurable manner in accordance, for example, with characteristics of a particular user device/process stored intermittently or more persistently in storage 404. Linking engine 405 can also provide for restoring a Downloadable, such as a compressed, encrypted or otherwise encoded file that has been decompressed, decrypted or otherwise decoded via detection processing (e.g. see FIG. 6b).

[0078] It is discovered, for example, that the manner in which the Windows OS initiates a binary executable or an ActiveX control can be utilized to enable protected initiation of a detected-Downloadable. Linking engine 405 is, for example, configurable to form, for an ordinary single-executable Downloadable (e.g. an application program, applet, etc.), a sandboxed package 340 as a concatenation of ordered elements including an MPC 341, applicable policies 342 and the Downloadable or "XEQ" 343 (e.g. see FIG. 4).

[0079] Linking engine 405 is also configurable to form, for a Downloadable received by a server as a compressed single- or multiple-executable Downloadable such as a zipped or meta file, a protecting package 340 including one or more MPCs, applicable policies and the one or more included executables of the Downloadable. For example, a sandboxed package can be formed in which a single MPC and policies precede, and thus will affect, all such executables as a result of inflating and installation. An MPC and applicable policies can also, for example, precede each executable, such that each executable will be separately sandboxed in the same or a different manner according to MPC/policy configuration (see above) upon inflation and installation. (See also FIGS. 5 and 6.)

[0080] Linking engine 405 is also configurable to form an initial MPC, MPC-policy or sandboxed package (e.g. prior to or upon receipt of a Downloadable) or an additional MPC, MPC-policy or sandboxed package (e.g. upon or following receipt of a Downloadable), such that suitable MPCs/policies can be provided to a Downloadable-destination or other destination in a more distributed manner. In this way, requisite bandwidth or destination resources can be minimized (via two or more smaller packages), in compromise with latency or other considerations raised by the additional required communication.

[0081] A configurable linking engine can also be utilized in accordance with other requirements of particular devices/processes, further or different elements or other permutations in accordance with the teachings herein. (It might, for example, be desirable to modify the ordering of elements, to provide one or more elements separately, to provide additional information, such as a header, etc., or to perform other processing in accordance with a particular device, protocol or other application considerations.)

[0082] Policy/authentication reader-analyzer 481 summarily depicts other protection mechanisms that might be utilized in conjunction with Downloadable detection, such as already discussed, and that can further be configurable to operate in accordance with policies or parameters (summarily depicted by security/authentication policies 482). Integration of such further protection in the depicted configuration, for example, enables a potential-Downloadable from a known unfriendly source, a source failing authentication or a provided source that is confirmed to be fictitious to be summarily discarded, otherwise blocked, flagged, etc. (with or without further processing). Conversely, a potential-Downloadable from a known friendly source (or one confirmed as such) can be transferred with or without further processing in accordance with particular application considerations. (Other configurations including pre- or post-Downloadable-detection mechanisms might also be utilized.)

[0083] Finally, transfer engine 406 of protection engine 400 provides for receiving linking engine 405 (or other protection) results and causing them to be transferred to a destination user device/process. As depicted, transfer engine 406 is configured to receive and transfer a Downloadable, a determined non-executable or a sandboxed package. However, transfer engine 406 can also be provided in a more configurable manner, such as was already discussed for other system 400 elements. (Any one or more of system 400 elements might be configurably implemented in accordance with a particular application.) Transfer engine 406 can perform such transfer, for example, by adding the information to a server transfer queue (not shown) or utilizing another suitable method.

[0084] Turning to FIG. 5 with reference to FIG. 4, a code detector 421 example is illustrated in accordance with an embodiment of the invention. As shown, code detector 421 includes data fetcher 501, parser 502, file-type detector 503, inflator 504 and control 506. Other depicted elements, while implementable and potentially useful in certain instances, are found to require substantial overhead, to be less accurate in certain instances (see above) and are not utilized in a present implementation; these will be discussed separately below. Code detector elements are further configurable in accordance with stored parameters retrievable by data fetcher 501. (A coupling between data fetcher 501 and control 506 has been removed for clarity's sake.)

[0085] Data fetcher 501 provides for retrieving a potential-Downloadable or portions thereof stored in buffer 407, or parameters from storage 404, and communicates such information or parameters to parser 502. Parser 502 receives a potential-Downloadable or portions thereof from data fetcher 501 and isolates potential-Downloadable elements, such as file headers, source, destination, certificates, etc., for use by further processing elements.

[0086] File type detector 503 receives and determines whether the potential-Downloadable (likely) is or includes an executable file type. File type detector 503 can, for example, be configured to analyze a received potential-Downloadable for a file header, which is typically included in accordance with conventional data transfer protocols, such as a portable executable or standard ".exe" file format for Windows OS application programs, a Java class header for Java applets, and so on for other applications, distributed components, etc. "Zipped", meta or other compressed files, which might include one or more executables, also typically provide standard single- or multi-level headers that can be read and used to identify included executable code (or other included information types). File type detector 503 is also configurable for analyzing potential-Downloadables for all potential file type delimiters or a more limited subset of potential file type delimiters (e.g. ".exe" or ".com" in conjunction with a DOS or Microsoft Windows OS Downloadable-destination).

[0087] Known file type delimiters can, for example, be stored in more temporary or more persistent storage (e.g. storage 404 of FIG. 4), which file type detector 503 can compare to a received potential-Downloadable. (Such delimiters can thus also be updated in storage 404 as a new file type delimiter is provided, or a more limited subset of delimiters can also be utilized in accordance with a particular Downloadable-destination or other considerations of a particular application.) File type detector 503 further transfers to control 506 a detected file type indicator indicating that the potential-Downloadable includes or does not include (or likely includes) an executable file type.

[0088] In this example, the aforementioned detection processor is also included as a predetection processor or, more particularly, a configurable file inflator 504. File inflator 504 provides for opening or "inflating" compressed files in accordance with a compressed file type received from file type detector 503 and corresponding file opening parameters received from data fetcher 501. Where a compressed file (e.g. a meta file) includes nested file type information not otherwise reliably provided in an overall file header or other information, inflator 504 returns such information to parser 502. File inflator 504 also provides any now-accessible included executables to control 506 where one or more included files are to be separately packaged with an MPC or policies.
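Detection as described in [0086] through [0088], as an added example and not code from the application: header magic is checked first, the extension list is only a fallback for header-less formats such as DOS `.com` programs, and zip containers are inflated and walked recursively so an executable nested inside an archive is still found and reported with its path. The magic table, the extension list, the `MAX_ENTRY` and `max_depth` limits and every sample file are constructed for this example.

```python
import io
import struct
import zipfile
from typing import List, Optional, Tuple

# Header-based file type delimiters, the kind a detector keeps in storage 404.
# Constructed for the example; a deployment holds many more.
MAGIC_TABLE = [
    (b"\xca\xfe\xba\xbe", "java class"),
    (b"\x7fELF", "elf executable"),
]
ZIP_MAGIC = b"PK\x03\x04"
# Extension delimiters for a DOS/Windows destination (a ".com" file has no header).
EXEC_EXTENSIONS = (".exe", ".com", ".dll", ".scr")
MAX_ENTRY = 8 * 1024 * 1024   # refuse to inflate entries declared larger than this


def header_type(data: bytes) -> Optional[str]:
    """Identify an executable by its header rather than by its name."""
    if data[:2] == b"MZ":
        # A PE file keeps a DOS stub; the real signature sits at e_lfanew (offset 0x3c).
        if len(data) >= 0x40:
            e_lfanew = struct.unpack_from("<I", data, 0x3c)[0]
            if data[e_lfanew:e_lfanew + 4] == b"PE\x00\x00":
                return "pe executable"
        return "dos executable"
    for magic, name in MAGIC_TABLE:
        if data.startswith(magic):
            return name
    return None


def inspect(data: bytes, name: str = "", depth: int = 0, max_depth: int = 3) -> List[Tuple[str, str]]:
    """Return (path, type) for every executable found.

    Zip containers are inflated and walked recursively (the file inflator's
    job), bounded by max_depth and MAX_ENTRY so a nested or oversized archive
    cannot exhaust the server. A plain non-executable yields an empty list."""
    found: List[Tuple[str, str]] = []
    kind = header_type(data)
    if kind:
        found.append((name, kind))
    elif name.lower().endswith(EXEC_EXTENSIONS):
        found.append((name, "executable by extension, header unrecognised"))
    if data.startswith(ZIP_MAGIC) and depth < max_depth:
        try:
            with zipfile.ZipFile(io.BytesIO(data)) as zf:
                for info in zf.infolist():
                    path = f"{name}/{info.filename}"
                    if info.is_dir():
                        continue
                    if info.file_size > MAX_ENTRY:
                        found.append((path, "entry too large to inflate"))
                        continue
                    found.extend(inspect(zf.read(info), path, depth + 1, max_depth))
        except zipfile.BadZipFile:
            found.append((name, "corrupt zip, not inflated"))
    return found


def is_downloadable(data: bytes, name: str = "") -> bool:
    """The indicator file type detector 503 hands to control 506."""
    return bool(inspect(data, name))


# --- constructed sample input (none of these are real programs) -------------
FAKE_PE = b"MZ" + b"\x00" * 0x3a + struct.pack("<I", 0x40) + b"PE\x00\x00" + b"\x00" * 16
FAKE_CLASS = b"\xca\xfe\xba\xbe\x00\x00\x00\x34" + b"\x00" * 8
TINY_COM = b"\xb8\x00\x4c\xcd\x21"          # mov ax,4c00h ; int 21h -- no header at all
SAMPLE_TEXT = b"quarterly figures attached\n"


def make_zip(entries: dict) -> bytes:
    buf = io.BytesIO()
    with zipfile.ZipFile(buf, "w", zipfile.ZIP_DEFLATED) as zf:
        for entry_name, payload in entries.items():
            zf.writestr(entry_name, payload)
    return buf.getvalue()


# A "friendly" archive with executables one level down, the case noted in [0056].
SAMPLE_ARCHIVE = make_zip({
    "readme.txt": SAMPLE_TEXT,
    "applet.class": FAKE_CLASS,
    "setup.com": TINY_COM,
    "inner.zip": make_zip({"tool.exe": FAKE_PE}),
})

if __name__ == "__main__":
    for path, kind in inspect(SAMPLE_ARCHIVE, "bundle.zip"):
        print(path, "->", kind)
```

Checking the header before the name matters because a Downloadable renamed to `.dat` still starts with `MZ`, while a `.com` program has no header a detector could check, so the extension subset of [0086] is the only delimiter left for it. The depth and size bounds are the inflator's own protection: without them a nested or oversized archive can exhaust the server doing the detecting. A container that fails to inflate is reported rather than passed as non-executable, which errs on the side of packaging it.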

[0089] Control 506, in this example, operates in accordance with stored parameters and provides for routing detected non-Downloadables or Downloadables and control information, and for conducting the aforementioned distributed downloading of packages to Downloadable-destinations. In the case of a non-Downloadable, for example, control 506 sends the non-Downloadable to transfer engine 406 (FIG. 4) along with any indicators that might apply. For an ordinary single-executable Downloadable, control 506 sends control information to agent generator 431 and the Downloadable to linking engine 405 along with any other applicable indicators (see 641 of FIG. 6b). Control 506 similarly handles a compressed single-executable Downloadable or a multiple Downloadable to be protected using a single sandboxed package. For a multiple-executable Downloadable, control 506 sends control information for each corresponding executable to agent generator 431, and sends the executable to linking engine 405 along with controls and any applicable indicators, as in 643 b of FIG. 6b. (The above assumes, however, that distributed downloading is not utilized; when it is used according to applicable parameters, control 506 also operates in accordance with the following.)

[0090] Control 506 conducts distributed protection (e.g. distributed packaging) by providing control signals to agent generator 431, linking engine 405 and transfer engine 406. In the present example, control 506 initially sends controls to agent generator 431 and linking engine 405 (FIG. 4) causing agent generator 431 to generate an initial MPC and initial policies, and sends control and a detected-Downloadable to linking engine 405. Linking engine 405 forms an initial sandboxed package, which transfer engine 406 causes (in conjunction with further controls) to be downloaded to the Downloadable-destination (643 a of FIG. 6b). An initial MPC within the sandboxed package includes an installer and a communicator and performs installation as indicated below. The initial MPC also communicates, via the communicator, controls to control 506 (FIG. 5), in response to which control 506 similarly causes generation of MPC-M and policy-M modules 643 c, which linking engine 405 links and transfer engine 406 causes to be sent to the Downloadable-destination, and so on for any further such modules.

[0091] (It will be appreciated, however, that an initial package might be otherwise configured or sent prior to receipt of a Downloadable in accordance with configuration parameters or user interaction. Information can also be sent to other user devices, such as that of an administrator. Further MPCs/policies might also be coordinated by control 506 or other elements, or other suitable mechanisms might be utilized in accordance with the teachings herein.)

[0092] Regarding the remaining detection engine elements illustrated in FIG. 5, where content analysis is utilized, parser 502 can also provide a Downloadable or portions thereof to content detector 505. Content detector 505 can then provide one or more content analyses. Binary detector 551, for example, performs detection of binary information; pattern detector 552 further analyzes the Downloadable for patterns indicating executable code; other detectors can also be utilized. Analysis results therefrom can be used in an absolute manner, where a first testing result indicating executable code confirms Downloadable detection, which result is then sent to control 506. Alternatively, however, composite results from such analyses can also be sent to control 506 for evaluation. Control 506 can further conduct such evaluation in a summary manner (determining whether a Downloadable is detected according to a majority or minimum number of indicators), or based on a weighting of different analysis results. Operation then continues as indicated above. (Such analysis can also be conducted in accordance with aspects of a destination user device or other parameters.)

[0093] FIG. 6a illustrates more specific examples of indicators/parameters and known (or "knowledge base") elements that can be utilized to facilitate the above-discussed system 400 configurability and detection. For clarity's sake, indicators, parameters and knowledge base elements are combined as indicated "parameters." It will be appreciated, however, that the particular parameters utilized can differ in accordance with a particular application, and indicators, parameters or known elements, where utilized, can vary and need not correspond exactly with one another. Any suitable explicit or referencing list, database or other storage structure(s) or storage structure configuration(s) can also be utilized to implement a suitable user/device based protection scheme, such as in the above examples, or other desired protection schema.

[0094] Executable parameters 601 comprise, in accordance with the above examples, executable file type parameters 611, executable code parameters 612 and code pattern parameters 613 (including known executable file type indicators, header/code indicators and patterns respectively, where code patterns are utilized). Use parameters 602 further comprise user parameters 621, system parameters 622 and general parameters 623 corresponding to one or more users, user classifications, user-system correspondences or destination systems, devices or processes, etc. (e.g. for generating corresponding MPCs/policies, providing other protection, etc.). The remaining parameters include interface parameters 631 for providing MPC/policy (or further) configurability in accordance with a particular device or for enabling communication with a device user (see below), and other parameters 632.

[0095] FIG. 6b illustrates a linking engine 405 according to an embodiment of the invention. As already discussed, linking engine 405 includes a linker 507 for combining MPCs, policies or agents via concatenation or other suitable processing in accordance with an OS, JVM or other host executor or other applicable factors that might apply. Linking engine 405 also includes the aforementioned post-detection processor which, in this example, comprises a compressor 508. As noted, compressor 508 receives linked elements from linker 507 and, where a potential-Downloadable corresponds to a compressed file that was inflated during detection, re-forms the compressed file. (Known file information can be provided via configuration parameters, substantial reversal of inflating or another suitable method.) Encryption or other post-detection processing can also be conducted by linking engine 405.

[0096] FIGS. 7a, 7b and 8 illustrate a "sandbox protection" system, as operable within a receiving destination-device, according to an embodiment of the invention.

[0097] Beginning with FIG. 7a, a client 146 receiving sandbox package 340 will "recognize" sandbox package 340 as a (mobile) executable and cause a mobile code installer 711 (e.g. an OS loader, JVM, etc.) to be initiated. Mobile code installer 711 will also recognize sandbox package 340 as an executable and will attempt to initiate sandbox package 340 at its "beginning." Protection engine 400 processing corresponding to destination 700 use of such a loader, however, will have resulted in the "beginning" of sandbox package 340 corresponding to the beginning of MPC 341, as noted with regard to the above FIG. 4 example.

[0098] Such protection engine processing will therefore cause a mobile code installer (e.g. OS loader 711, for clarity's sake) to initiate MPC 341. In other cases, other processing might also be utilized for causing such initiation or further protection system operation. Protection engine processing also enables MPC 341 to effectively form a protection "sandbox" around Downloadable (e.g. detected-Downloadable or "XEQ") 343, to monitor Downloadable 343, intercept determinable Downloadable 343 operations (such as attempted accesses by Downloadable 343 to destination resources) and, if "malicious", to cause one or more other operations to occur (e.g. providing an alert, offloading the Downloadable, offloading the MPC, providing only limited resource access, possibly in a particular address space or with regard to a particularly "safe" resource or resource operation, etc.).

[0099] MPC 341, in the present OS example, executes MPC element installation and installs any policies, causing MPC 341 and protection policies 342 to be loaded into a first memory space, P1. MPC 341 then initiates loading of Downloadable 343. Such Downloadable initiation causes OS loader 711 to load Downloadable 343 into a further working memory space P2 703 along with an API import address table ("IAT") 731 for providing Downloadable 343 with destination resource access capabilities. It is discovered, however, that the IAT can be modified so that any call to an API can be redirected to a function within the MPC. The technique for modifying the IAT is documented within the MSDN (Microsoft Developer Network) Library CD in several articles. The technique is also different for each operating system (e.g. between Windows 9x and Windows NT), which can be accommodated by agent generator configurability, such as that given above. MPC 341 therefore has at least initial access to IAT 731 of Downloadable 343, and provides for diverting, evaluating and responding to attempts by Downloadable 343 to utilize system APIs via IAT 731, further in accordance with protection policies 342. In addition to API diverting, MPC 341 can also install filter drivers, which can be used for controlling access to resources such as a Downloadable-destination file system or registry. Filter driver installation can be conducted as documented in the MSDN or using other suitable methods. (Note that modifying the IAT diverts only calls that go through the import table; an API address obtained at run time, e.g. via GetProcAddress, is called directly and bypasses the diversion, so such address-lookup APIs need to be diverted as well, or the filter drivers relied upon for the resources concerned.)

[0100] Turning to FIG. 8 with reference to FIG. 7b, an MPC 341 according to an embodiment of the invention includes a package extractor 801, executable installer 802, sandbox engine installer 803, resource access diverter 804, resource access (attempt) analyzer 805, policy enforcer 806 and MPC de-installer 807. Package extractor 801 is initiated upon initiation of MPC 341, and extracts MPC 341 elements and protection policies 342. Executable installer 802 further initiates installation of a Downloadable by extracting the Downloadable from the protected package and loading the process into memory in suspended mode (so that it only loads into memory, but does not start to run). Such installation further causes the operating system to initialize the Downloadable's IAT 731 in the memory space of the Downloadable process, P2, as already noted.

[0101] Sandbox engine installer 803 (running in process space P1) then installs the sandbox engine (803-805) and policies 342 into the Downloadable process space P2. This is done in a different way in each operating system (e.g. see above). Resource access diverter 804 further modifies those Downloadable-API IAT entries that correspond with protection policies 342, thereby causing corresponding Downloadable accesses via Downloadable-API IAT 731 to be diverted to resource access analyzer 805.

[0102] During Downloadable operation, resource access analyzer or “RAA” 805 receives and determines a response to diverted Downloadable (i.e. “malicious”) operations in accordance with corresponding protection policies of policies 342. (RAA 805 or further elements, which are not shown, can further similarly provide for other security mechanisms that might also be implemented.) Malicious operations can for example include, in a Windows environment: file operations (e.g. reading, writing, deleting or renaming a file), network operations (e.g. listen on or connect to a socket, send/receive data or view intranet), OS registry or similar operations (read/write a registry item), OS operations (exit OS/client, kill or change the priority of a process/thread, dynamically load a class library), resource usage thresholds (e.g. memory, CPU, graphics), etc.

[0103] Policy enforcer 806 receives RAA 805 results and causes a corresponding response to be implemented, again according to the corresponding policies. Policy enforcer 806 can, for example, interact with a user (e.g. provide an alert, receive instructions, etc.), create a log file, respond, cause a response to be transferred to the Downloadable using “dummy” or limited data, communicate with a server or other networked device (e.g. corresponding to a local or remote administrator), respond more specifically with a better known Downloadable, verify accessibility or user/system information (e.g. via local or remote information), even enable the attempted Downloadable access, among a wide variety of responses that will become apparent in view of the teachings herein.

[0104] The FIG. 9 flowchart illustrates a protection method according to an embodiment of the invention. In step 901, a protection engine monitors the receipt, by a server or other re-communicator, of information, and receives such information intended for a protected information-destination (i.e. a potential-Downloadable) in step 903. Steps 905-911 depict an adjunct trustworthiness protection that can also be provided, wherein the protection engine determines whether the source of the received information is known to be “unfriendly” and, if so, prevents current (at least unaltered) delivery of the potential-Downloadable and provides any suitable alerts. (The protection engine might also continue to perform Downloadable detection and nevertheless enable delivery or protected delivery of a non-Downloadable, or avoid detection if the source is found to be “trusted”, among other alternatives enabled by the teachings herein.)

[0105] If, in step 913, the potential-Downloadable source is found to be of an unknown or otherwise suitably authenticated/certified source, then the protection engine determines whether the potential-Downloadable includes executable code in step 915. If the potential-Downloadable does not include executable code, then the protection engine causes the potential-Downloadable to be delivered to the information-destination in its original form in step 917, and the method ends. If instead the potential-Downloadable is found to include executable code in step 915 (and is thus a “detected-Downloadable”), then the protection engine forms a sandboxed package in step 919 and causes the protection agent to be delivered to the information-destination in step 921, and the method ends. As was discussed earlier, a suitable protection agent can include mobile protection code, policies and the detected-Downloadable (or information corresponding thereto).

[0106] The FIG. 10a flowchart illustrates a method for analyzing a potential-Downloadable, according to an embodiment of the invention. As shown, one or more aspects can provide useful indicators of the inclusion of executable code within the potential-Downloadable. In step 1001, the protection engine determines whether the potential-Downloadable indicates an executable file type, for example, by comparing one or more included file headers for file type indicators (e.g. extensions or other descriptors). The indicators can be compared against all known file types executable by all protected Downloadable destinations, a subset, in accordance with file types executable or desirably executable by the Downloadable-destination, in conjunction with a particular user, in conjunction with available information or operability at the destination, various combinations, etc.

[0107] Where content analysis is conducted, in step 1003 of FIG. 10a, the protection engine analyzes the potential-Downloadable and determines in accordance therewith whether the potential-Downloadable does or is likely to include binary information, which typically indicates executable code. The protection engine further analyzes the potential-Downloadable for patterns indicative of included executable code in step 1003. Finally, in step 1005, the protection engine determines whether the results of steps 1001 and 1003 indicate that the potential-Downloadable more likely includes executable code (e.g. via weighted comparison of the results with a suitable level indicating the inclusion or exclusion of executable code). The protection engine, given a suitably high confidence indicator of the inclusion of executable code, treats the potential-Downloadable as a detected-Downloadable.
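The three indicator sources of FIG. 10a (file type indicators in step 1001, archive inspection as in claim 5, and content analysis in step 1003) carried through to the weighted decision of step 1005, as an added example that is not the patent's own code. The extension list, header magic values, byte patterns, weights and threshold are assumptions chosen for the example, and the sample inputs are constructed.

```python
"""Content inspection of a potential-Downloadable, after FIG. 10a.

Added illustration, not code from the patent. The extension list, header
magic values, byte patterns, weights and threshold are assumptions chosen for
the example; a deployment would tune them to its protected destinations."""
import io
import zipfile

# Step 1001: file type indicators (assumed extension list and header magic)
EXECUTABLE_EXTENSIONS = {".exe", ".dll", ".ocx", ".scr", ".class", ".jar", ".vbs", ".js"}
HEADER_MAGIC = (b"MZ", b"\xca\xfe\xba\xbe", b"\x7fELF")   # PE/DOS, Java class, ELF
ARCHIVE_MAGIC = b"PK\x03\x04"                              # zip-style archive

# Step 1003: byte patterns that tend to be included within executable code
CODE_PATTERNS = (b"PE\x00\x00", b"This program cannot be run in DOS mode",
                 b"KERNEL32.dll", b"java/lang/Object", b"CreateObject(")

WEIGHTS = {"file_type": 0.5, "archive": 0.5, "content": 0.5}   # assumed
THRESHOLD = 0.5                                                # assumed


def file_type_indicator(name: str, data: bytes) -> float:
    """1.0 when header magic names an executable type, 0.6 when only the
    extension does, 0.0 otherwise."""
    if any(data.startswith(m) for m in HEADER_MAGIC):
        return 1.0
    ext = name[name.rfind("."):].lower() if "." in name else ""
    return 0.6 if ext in EXECUTABLE_EXTENSIONS else 0.0


def archive_contains_executable(data: bytes) -> bool:
    """Claim-5 style check: an archive counts when any member name looks executable."""
    if not data.startswith(ARCHIVE_MAGIC):
        return False
    try:
        with zipfile.ZipFile(io.BytesIO(data)) as zf:
            return any(file_type_indicator(n, b"") > 0 for n in zf.namelist())
    except zipfile.BadZipFile:
        return False


def content_indicator(data: bytes) -> float:
    """Combine a binary-content estimate with executable byte-pattern hits.
    Binary-ness alone cannot catch script mobile code, so pattern hits count
    on their own rather than being averaged away."""
    if not data:
        return 0.0
    nontext = sum(1 for b in data if b < 9 or 13 < b < 32 or b > 126)
    binary_part = min((nontext / len(data)) / 0.2, 1.0)      # saturates at 20% non-text
    pattern_part = min(sum(1 for p in CODE_PATTERNS if p in data), 2) / 2
    return max(binary_part, pattern_part)


def inspect_potential_downloadable(name: str, data: bytes):
    """Step 1005: weighted comparison of the indicators against the threshold.
    Returns (is_detected_downloadable, score, indicators)."""
    indicators = {"file_type": file_type_indicator(name, data),
                  "archive": 1.0 if archive_contains_executable(data) else 0.0,
                  "content": content_indicator(data)}
    score = sum(WEIGHTS[k] * v for k, v in indicators.items())
    return score >= THRESHOLD, round(score, 3), indicators


def sample_archive_with_class() -> bytes:
    """Constructed sample: an archive holding a text file and a Java class stub."""
    buf = io.BytesIO()
    with zipfile.ZipFile(buf, "w") as zf:
        zf.writestr("README.txt", "just text")
        zf.writestr("Applet.class", b"\xca\xfe\xba\xbe\x00\x00\x00\x31")
    return buf.getvalue()


# Constructed sample inputs (not real Downloadables)
SAMPLE_PE = b"MZ\x90\x00" + b"\x00" * 60 + b"PE\x00\x00" + b"KERNEL32.dll" + bytes(range(256))
SAMPLE_HTML = b"<html><body>Hello, world</body></html>\n"
SAMPLE_VBS = b'Set sh = CreateObject("WScript.Shell")\r\nsh.Popup "hello"\r\n'

if __name__ == "__main__":
    for name, data in (("update.exe", SAMPLE_PE), ("page.html", SAMPLE_HTML),
                       ("bundle.zip", sample_archive_with_class()), ("hello.vbs", SAMPLE_VBS)):
        print(name, inspect_potential_downloadable(name, data))
```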

[0108] The FIG. 10b flowchart illustrates a method for forming a sandboxed package according to an embodiment of the invention. As shown, in step 1011, a protection engine retrieves protection parameters and forms mobile protection code according to the parameters. The protection engine further, in step 1013, retrieves protection parameters and forms protection policies according to the parameters. Finally, in step 1015, the protection engine couples the mobile protection code, protection policies and received-information to form a sandboxed package. For example, where a Downloadable-destination utilizes a standard Windows executable, coupling can further be accomplished via concatenating the MPC for delivery of MPC first, policies second, and received information third. (The protection parameters can, for example, include parameters relating to one or more of the Downloadable destination device/process, user, supervisory constraints or other parameters.)
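The policy formation of step 1013 and the concatenation of step 1015, together with the destination-side recovery performed by package extractor 801, as an added example that is not the patent's code. The trailer framing, the trailer tag and the policy schema are assumptions; the ordering MPC first, policies second, received information third follows the paragraph above.

```python
"""Forming and extracting a sandboxed package (FIG. 10b, step 1015, and package
extractor 801). Added illustration, not code from the patent. The framing (a
fixed-size trailer holding the segment lengths) and the policy schema are
assumptions; the order MPC, policies, received information follows [0108]."""
import json
import struct

TRAILER = struct.Struct("<8sIII")   # tag, len(MPC), len(policies), len(downloadable)
TAG = b"SBXPKG01"                   # constructed trailer tag (assumption)


def form_protection_policies(params: dict) -> bytes:
    """Step 1013: derive protection policies from destination/user parameters."""
    policies = {
        "file": "alert" if params.get("user_role") == "admin" else "deny",
        "registry": "dummy",
        "network": "alert",
        "process": "deny",
    }
    if params.get("destination_os") == "nt":
        policies["filter_driver"] = True   # NT-style destinations can add a filter driver
    return json.dumps(policies, sort_keys=True).encode()


def form_sandboxed_package(mpc: bytes, policies: bytes, downloadable: bytes) -> bytes:
    """Step 1015: concatenate MPC first, policies second, received information third.
    The trailer goes last, so the package still begins with the MPC executable's own
    header and the destination's executor starts the MPC, not the Downloadable."""
    return mpc + policies + downloadable + TRAILER.pack(
        TAG, len(mpc), len(policies), len(downloadable))


def extract_sandboxed_package(package: bytes):
    """Package extractor 801: recover (mpc, policies, downloadable), refusing any
    package whose trailer does not account for exactly every byte."""
    if len(package) < TRAILER.size:
        raise ValueError("package shorter than its trailer")
    tag, n_mpc, n_pol, n_dl = TRAILER.unpack(package[-TRAILER.size:])
    if tag != TAG:
        raise ValueError("package trailer missing")
    if n_mpc + n_pol + n_dl + TRAILER.size != len(package):
        raise ValueError("segment lengths do not match the package size")
    mpc = package[:n_mpc]
    policies = package[n_mpc:n_mpc + n_pol]
    downloadable = package[n_mpc + n_pol:n_mpc + n_pol + n_dl]
    return mpc, policies, downloadable


# Constructed stand-ins (not a real MPC or a real Downloadable)
SAMPLE_MPC = b"MZ<mpc-stub>"
SAMPLE_DOWNLOADABLE = b"MZ<received-executable>"

if __name__ == "__main__":
    params = {"destination_os": "nt", "user_role": "user"}
    pkg = form_sandboxed_package(SAMPLE_MPC, form_protection_policies(params), SAMPLE_DOWNLOADABLE)
    mpc, policies, downloadable = extract_sandboxed_package(pkg)
    print(pkg.startswith(SAMPLE_MPC), json.loads(policies), downloadable)
```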

[0109] The FIG. 11 flowchart illustrates how a protection method performed by mobile protection code (“MPC”) according to an embodiment of the invention includes the MPC installing MPC elements and policies within a destination device in step 1101. In step 1102, the MPC loads the Downloadable without actually initiating it (i.e. for executables, it will start a process in suspended mode). The MPC further forms an access monitor or “interceptor” for monitoring or “intercepting” Downloadable destination device access attempts within the destination device (according to the protection policies) in step 1103, and initiates a corresponding Downloadable within the destination device in step 1105.

[0110] If, in step 1107, the MPC determines, from monitored/intercepted information, that the Downloadable is attempting or has attempted a destination device access considered undesirable or otherwise malicious, then the MPC performs steps 1109 and 1111; otherwise the MPC returns to step 1107. In step 1109, the MPC determines protection policies in accordance with the access attempt by the Downloadable, and in step 1111, the MPC executes the protection policies. (Protection policies can, for example, be retrieved from a temporary, e.g. memory/cache, or more persistent storage.)

[0111] As shown in the FIG. 12a example, the MPC can provide for intercepting access attempts by a Downloadable by installing the Downloadable (but not executing it) in step 1201. Such installation will cause a Downloadable executor, such as the Windows operating system, to provide all required interfaces and parameters (such as the IAT, process ID, etc.) for use by the Downloadable to access device resources of the host device. The MPC can thus cause Downloadable access attempts to be diverted to the MPC by modifying the Downloadable IAT, replacing device resource location indicators with those of the MPC (step 1203).

[0112] The FIG. 12b example further illustrates how the MPC can apply suitable policies in accordance with an access attempt by a Downloadable. As shown, the MPC receives the Downloadable access request via the modified IAT in step 1211. The MPC further queries stored policies to determine a policy corresponding to the Downloadable access request in step 1213.
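The diversion, analysis and enforcement path of [0101]-[0103] and FIGS. 12a-12b (resource access diverter 804, RAA 805, policy enforcer 806), as an added example that is not the patent's code. A real MPC rewrites entries of the Downloadable's import address table; here the IAT is modelled as a table of callables through which the Downloadable makes every resource call, and the API names, the policy set and the Downloadable's attempts are constructed.

```python
"""Resource access diversion, analysis and enforcement (MPC elements 804-806,
FIGS. 12a and 12b). Added illustration, not code from the patent. A real MPC
rewrites entries of the Downloadable's import address table; here the IAT is
modelled as a dict of API name -> callable through which the Downloadable makes
every resource call. API names, policies and Downloadable behaviour are constructed."""

def build_iat():
    """What OS loader 711 initializes for the Downloadable (simulated IAT 731);
    the callables stand in for the destination's real resource APIs."""
    return {"WriteFile": lambda path, data: f"wrote {len(data)} bytes to {path}",
            "RegQueryValue": lambda key: f"{key} = 42",
            "connect": lambda host, port: f"connected to {host}:{port}",
            "ExitProcess": lambda code: f"exit({code})"}

API_CLASS = {"WriteFile": "file", "RegQueryValue": "registry",
             "connect": "network", "ExitProcess": "os"}

# Protection policies 342 (constructed): the response for each resource class
POLICIES = {
    "file": {"action": "deny", "allow_prefixes": ("C:\\Temp\\sandbox\\",)},
    "registry": {"action": "dummy", "dummy": "(dummy registry value)"},
    "network": {"action": "alert"},
    "os": {"action": "deny"},
}

class ResourceGuard:
    """Resource access diverter 804, analyzer 805 and policy enforcer 806."""

    def __init__(self, iat, policies):
        self.iat, self.policies = iat, policies
        self.original = {}   # saved IAT entries, used when an access is allowed
        self.log = []        # every diverted attempt and the decision taken

    def install_diverter(self):
        """Step 1203: replace each IAT entry covered by a policy with an MPC wrapper."""
        for api in list(self.iat):
            if API_CLASS.get(api) in self.policies:
                self.original[api] = self.iat[api]
                self.iat[api] = self._wrapper(api)

    def _wrapper(self, api):
        def diverted(*args):                     # step 1211: the attempt arrives here
            return self.enforce(api, self.analyze(api, args), args)
        return diverted

    def analyze(self, api, args):
        """RAA 805 / step 1213: look up the policy that matches this attempt."""
        policy = self.policies[API_CLASS[api]]
        if API_CLASS[api] == "file" and any(
                str(args[0]).startswith(p) for p in policy.get("allow_prefixes", ())):
            return "allow"
        return policy["action"]

    def enforce(self, api, decision, args):
        """Policy enforcer 806: allow, answer with dummy data, alert, or deny."""
        self.log.append((api, decision))
        if decision == "allow":
            return self.original[api](*args)
        if decision == "dummy":
            return self.policies[API_CLASS[api]]["dummy"]
        if decision == "alert":
            self.log.append(("ALERT", api, args))   # e.g. notify user or administrator
        raise PermissionError(f"{api}{args} blocked by protection policy")

def run_downloadable(iat):
    """Constructed Downloadable behaviour: it reaches resources only via the IAT.
    Returns the outcome of each attempt so the effect of each policy is visible."""
    attempts = [("WriteFile", ("C:\\Temp\\sandbox\\out.txt", b"abc")),
                ("WriteFile", ("C:\\Windows\\System32\\config.dat", b"x")),
                ("RegQueryValue", ("HKCU\\Software\\Example",)),
                ("connect", ("203.0.113.5", 80)),
                ("ExitProcess", (1,))]
    outcomes = []
    for api, args in attempts:
        try:
            outcomes.append(iat[api](*args))
        except PermissionError as err:
            outcomes.append(f"BLOCKED: {err}")
    return outcomes

def protected_run():
    """Install the diverter before the Downloadable starts (step 1105), then run it."""
    iat = build_iat()
    guard = ResourceGuard(iat, POLICIES)
    guard.install_diverter()
    return run_downloadable(iat), guard.log

if __name__ == "__main__":
    for line in protected_run()[0]:
        print(line)
```

Running the same Downloadable against the unmodified table from build_iat() shows every attempt succeeding, which is the contrast the diverter exists to remove.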

[0113] The foregoing description of preferred embodiments of the invention is provided by way of example to enable a person skilled in the art to make and use the invention, and in the context of particular applications and requirements thereof. Various modifications to the embodiments will be readily apparent to those skilled in the art, and the generic principles defined herein may be applied to other embodiments and applications without departing from the spirit and scope of the invention. Thus, the present invention is not intended to be limited to the embodiments shown, but is to be accorded the widest scope consistent with the principles, features and teachings disclosed herein. The embodiments described herein are not intended to be exhaustive or limiting. The present invention is limited only by the following claims.

What is claimed is:
 1. A method, comprising: receiving downloadable-information, determining whether the downloadable-information includes executable code; and causing mobile protection code to be communicated to at least one information-destination of the downloadable-information, if the downloadable-information is determined to include executable code.
 2. The method of claim 1, wherein the receiving includes monitoring received information of an information re-communicator.
 3. The method of claim 2, wherein the information re-communicator is a network server.
 4. The method of claim 1, wherein the determining comprises analyzing the downloadable-information for an included type indicator indicating an executable file type.
 5. The method of claim 1, wherein the determining comprises analyzing the downloadable-information for an included type detector indicating an archive file that contains at least one executable.
 6. The method of claim 1, wherein the determining comprises analyzing the downloadable-information for an included file type indicator and an information pattern corresponding to one or more information patterns that tend to be included within executable code.
 7. The method of claim 1, further comprising receiving one or more executable code characteristics of executable code that is capable of being executed by the information-destination, and wherein the determining is conducted in accordance with the executable code characteristics.
 8. The method of claim 1, wherein the determining comprises performing one or more analyses of the downloadable-information, the analyses producing detection-indicators indicating whether a correspondence is detected between a downloadable-information characteristic and at least one respective executable code characteristic, and evaluating the detection-indicators to determine whether the downloadable-information includes executable code.
 9. The method of claim 8, wherein at least one of the detection-indicators indicates a level of downloadable-information characteristic and executable code characteristic correspondence.
 10. The method of claim 8, wherein the evaluating includes assigning a weighted level of importance to at least one of the indicators.
 11. The method of claim 1, wherein the causing mobile protection code to be communicated comprises forming a sandboxed package including the mobile protection code and the downloadable-information, and causing the sandboxed package to be communicated to the at least one information-destination.
 12. The method of claim 10, wherein the sandboxed package is formed such that the mobile protection code will be executed by the information-destination before the downloadable-information.
 13. The method of claim 11, wherein the sandboxed package further includes protection policies according to which the mobile protection code is operable.
 14. The method of claim 13, wherein the sandboxed package is formed for receipt by the information-destination such that the mobile protection code is received before the downloadable-information, and the downloadable information before the protection policies.
 15. The method of claim 13, wherein the protection policies correspond with at least one of the information-destination and a user of the information destination.
 16. A system, comprising: an information monitor for receiving downloadable-information; a content inspection engine communicatively coupled to the information monitor for determining whether the downloadable-information includes executable code; and a protection agent engine communicatively coupled to the content inspection engine for causing mobile protection code (“MPC”) to be communicated to at least one information-destination of the downloadable-information, if the downloadable-information is determined to include executable code.
 17. The system of claim 16, wherein the information monitor intercepts received information received by an information re-communicator.
 18. The system of claim 17, wherein the information re-communicator is a network server.
 19. The system of claim 16, wherein the content inspection engine comprises a file type detector for determining whether the downloadable-information includes a file type indicator indicating an executable file type.
 20. The system of claim 16, wherein the content inspection engine comprises a parser for parsing the downloadable-information and a content analyzer communicatively coupled to the parser for determining whether one or more downloadable-information elements of the downloadable-information correspond with executable code elements are executable code elements.
 21. The system of claim 16, wherein the content inspection engine comprises one or more downloadable-information analyzers for analyzing the downloadable-information, each analyzer producing therefrom a detection indicator indicating whether a downloadable-information characteristic corresponds with an executable code characteristic, and an inspection controller communicatively coupled to the analyzers for determining whether the indicators indicate that the downloadable-information includes executable code.
 22. The system of claim 21, wherein at least one of the detection-indicators indicates a level of downloadable-information characteristic and executable code characteristic correspondence.
 23. The system of claim 21, wherein the evaluating includes assigning a weighted level of importance to at least one of the detection-indicators.
 24. The system of claim 16, wherein the sandboxed package engine comprises an MPC generator for providing the MPC, a linking engine coupled to the MPC generator for forming a protection agent including the MPC and the downloadable-information, and a transfer engine for causing the protection agent to be communicated to the at least one information-destination.
 25. The system of claim 24, wherein the protection agent engine further comprises a policy generator communicatively coupled to the linking engine for providing protection policies according to which the MPC is operable.
 26. The system of claim 25, wherein the sandboxed package is formed for receipt by the information-destination such that the mobile protection code is executed before the downloadable-information.
 27. The system of claim 26, wherein the protection policies correspond with policies of at least one of the information-destination and a user of the information destination.
 28. A system, comprising: means for receiving downloadable-information; means for determining whether the downloadable-information includes executable code; and means for causing mobile protection code to be communicated to at least one information-destination of the downloadable-information, if the downloadable-information is determined to include executable code.
 29. A computer-readable storage medium storing program code for causing a computer to perform the steps of: receiving downloadable-information; determining whether the downloadable-information includes executable code; and causing mobile protection code to be communicated to at least one information-destination of the downloadable-information, if the downloadable-information is determined to include executable code.
 30. A method, comprising: receiving, at an information re-communicator, downloadable-information, including executable code; and causing mobile protection code to be executed by a mobile code executor at a downloadable-information destination such that one or more operations of the executable code at the destination, if attempted, will be processed by the mobile protection code.
 31. The method of claim 30, wherein the mobile code executor is a Java Virtual Machine.
 32. The method of claim 30, wherein the mobile code executor is the operating system, running native code executables.
 33. The method of claim 30, wherein the mobile code executor is an ActiveX subsystem of the Windows operating system.
 34. The method of claim 30, wherein the mobile code executor is the Microsoft Windows scripting host.
 35. The method of claim 30, wherein the causing is accomplished by forming a sandboxed package including the mobile protection code and the downloadable-information, and causing the sandboxed package to be delivered to the downloadable-information destination.
 36. The method of claim 35, wherein the sandboxed package further includes protection policies according to which the processing by the mobile protection code is conducted.
 37. A sandboxed package formed according to the method of claim 35.
 38. A sandboxed package formed according to the method of claim 36.
 39. The method of claim 36, wherein the forming comprises generating the mobile protection code, generating the sandboxed package, and linking the mobile protection code, protection policies and downloadable-information.
 40. The method of claim 39, wherein the generating of at least one of the mobile protection code and the protection policies is conducted in accordance with one or more destination-characteristics of the destination.
 41. The method of claim 40, wherein the destination-characteristics include characteristics corresponding to at least one of a destination user, a destination device and a destination process.
 42. The method of claim 35, wherein the causing the sandboxed package to be executed includes communicating the sandboxed package to a communication buffer of the information re-communicator.
 43. The method of claim 30, wherein the re-communicator is at least one of a firewall and a network server.
 44. The method of claim 30, wherein the sandboxed package has a same file type as the downloadable-information, thereby causing the mobile code executor to be unaware that the protected package is not a normal downloadable.
 45. The method of claim 44, wherein the sandboxed package is formed using concatenation of a mobile protection code, a policy, and a downloadable.
 46. The method of claim 30, wherein executing the mobile protection code at the destination causes downloadable interfaces to resources at the destination to be modified such that at least one attempted operation of the executable code is diverted to the mobile protection code.
 47. A system, comprising: receiving means for receiving, at an information re-communicator, downloadable-information, including executable code; and mobile code means communicatively coupled to the receiving means for causing mobile protection code to be executed by a mobile code executor at a downloadable-information destination such that one or more operations of the executable code at the destination, if attempted, will be processed by the mobile protection code.
 48. The system of claim 47, wherein the mobile code executor is a Java Virtual Machine.
 49. The system of claim 47, wherein the mobile code executor is an operating system, running native code executables.
 50. The system of claim 47, wherein the mobile code executor is an ActiveX subsystem of the Windows operating system.
 51. The system of claim 47, wherein the mobile code executor is a Microsoft Windows scripting host.
 52. The system of claim 47, wherein the causing is accomplished by forming a sandboxed package including the mobile protection code and the downloadable-information, and causing the sandboxed package to be delivered to the downloadable-information destination.
 53. The system of claim 52, wherein the sandboxed package further includes protection policies according to which the processing by the mobile protection code is conducted.
 54. The system of claim 53, wherein the forming comprises generating the mobile protection code, generating the protection policies, and linking the mobile protection code, protection policies and downloadable-information.
 55. The system of claim 54, wherein the generating of at least one of the mobile protection code and the protection policies is conducted in accordance with one or more destination-characteristics of the destination.
 56. The system of claim 55, wherein the destination-characteristics include characteristics corresponding to at least one of a destination user, a destination device and a destination process.
 57. The system of claim 46, wherein the causing the sandboxed package to be executed includes communicating the sandboxed package to a communication buffer of the information re-communicator.
 58. The system of claim 47, wherein the re-communicator is at least one of a firewall and a network server.
 59. The system of claim 47, wherein executing the mobile protection code at the destination causes downloadable interfaces to a resource at the destination to be modified such that at least one attempted operation of the executable code is diverted to the mobile protection code.
 60. A computer-readable storage medium storing program code for causing a computer to perform the steps of: receiving, at an information re-communicator, downloadable-information, including executable code; and causing mobile protection code to be executed by a mobile code executor at a downloadable-information destination such that one or more operations of the executable code at the destination, if attempted, will be processed by the mobile protection code.
 61. A method, comprising: receiving mobile protection code (“MPC”) and a Downloadable at a Downloadable-destination; causing, by the MPC, one or more operations attempted by the Downloadable to be received by the MPC; receiving, by the MPC, an attempted operation of the Downloadable; and initiating, by the MPC, a protection policy corresponding to the attempted operation.
 62. The method of claim 61, wherein the receiving comprises receiving a sandboxed package that includes the MPC, the Downloadable and one or more protection policies.
 63. The method of claim 62, wherein the sandboxed package is configured such that the MPC is executed first, the Downloadable is executed by the MPC and the protection policies are accessible to the MPC.
 64. The method of claim 61, wherein the causing comprises modifying, by the MPC, interfaces of a corresponding downloadable to resources at the destination.
 65. The method of claim 64, wherein the modifying is accomplished by initiating a loading of the Downloadable, thereby causing a mobile code executor to provide and initialize the interfaces, modifying one or more interface elements to divert corresponding attempted Downloadable operations to the MPC, and initiating execution of the Downloadable.
 66. The method of claim 64, wherein the interfaces comprise an import address table (“IAT”) of a native code executable downloadable.
 67. The method of claim 64, wherein modifying the interfaces installs a filter-driver between the downloadable and the resources.
 68. A system, comprising: a mobile code executor for initiating received mobile code; and a sandboxed package capable of being received and initiated by the mobile code executor, the sandboxed package including a Downloadable and mobile protection code (“MPC”) for causing one or more Downloadable operations to be intercepted and for processing the intercepted operations, if the Downloadable attempts to initiate the operations.
 69. The system of claim 60, wherein the MPC comprises: an MPC installer for causing MPC elements to be installed; a Downloadable installer communicatively coupled to the MPC element installer for installing the Downloadable; a resource access diverter communicatively coupled to the MPC installer for causing the Downloadable operations to be intercepted; a resource access analyzer communicatively coupled to the MPC installer for receiving an intercepted Downloadable operation and determining a protection policy corresponding to the intercepted Downloadable operation; and a policy enforcer communicatively coupled to the resource access analyzer for processing the intercepted Downloadable operation.
 70. The system of claim 69, wherein the resource access diverter modifies one or more elements of an interface usable by the Downloadable to effectuate the Downloadable operations.
 71. The system of claim 69, wherein the mobile code executor is a Java Virtual Machine.
 72. The system of claim 69, wherein the mobile code executor is an operating system, running native code executables.
 73. The system of claim 69, wherein the mobile code executor is an ActiveX subsystem of the Windows operating system.
 74. The system of claim 69, wherein the mobile code executor is a Microsoft Windows scripting host.
 75. A system, comprising: receiving means for receiving mobile protection code (“MPC”) and a Downloadable at a Downloadable-destination; monitoring means for causing, by the MPC, one or more operations attempted by the Downloadable to be received by the MPC; second receiving means for receiving, by the MPC, an attempted operation of the Downloadable; and initiating means for initiating, by the MPC, a protection policy corresponding to the attempted operation.
 76. A computer-readable storage medium storing program code for causing a computer to perform the steps of: receiving mobile protection code (“MPC”) and a Downloadable at a Downloadable-destination; causing, by the MPC, one or more operations attempted by the Downloadable to be received by the MPC; receiving, by the MPC, an attempted operation of the Downloadable; and initiating, by the MPC, a protection policy corresponding to the attempted operation.